Install Arctic Wolf Agent using Group Policy Management

You can install Arctic Wolf® Agent on multiple Windows endpoints using the Group Policy Management Console (GPMC).

Note:

Agent is designed to maintain a minimal footprint on all systems, but Arctic Wolf recommends some OS requirements. Arctic Wolf cannot guarantee functionality on virtual machine (VM) environments if resources do not meet recommended levels.
Agent does not support ARM architecture.
Windows 8.1, 8, 7, and Windows Server 2008 R2 are only supported on Agent version 2023-02_138.
Group Policy installation does not currently support VPN-connected endpoints.

These resources are required:

To correctly view Agent risks in the Unified Portal, Windows Agent version 2023-02_138 or later is required
Administrator permissions or the ability to do administrator or root level functions
One of these operating systems:
- Windows 11 for 64-bit systems
- Windows 10 Pro for 64-bit and 32-bit systems
- Windows Server 2025, 2022, 2019, 2016, 2012 R2, or 2012 for 64-bit systems
- Windows 11 IoT or Windows 10 IoT for 64-bit systems
- If you plan to use Sysmon with Agent, Sysmon has these operating system requirements:
  - Windows 10 or newer for 64- and 32-bit systems
  - Windows Server 2016 or newer for 64-bit systems
These system resources:
- A x64 or x86 processor
- At a minimum:
  - A dual-core CPU
  - 2 GB of memory
  - 50 MB of disk space

These actions are required:

Confirm the installation location. Install Agent on the same drive as your ProgramFilesFolder, such as Program Files or Program Files (x86). This is usually the C:\.
Make sure outbound access is available for ports 443 and 1514.

To install Sysmon for Agent on Windows, see Install Sysmon on Windows devices. Sysmon is a Microsoft product that provides detailed information about processes, file systems, and network activity. When installed on Windows endpoints, Sysmon helps Agent detect endpoint activity for the MDR service.
To install the Agent Containment Driver, see Install the Arctic Wolf Agent Containment Driver on Windows using the Arctic Wolf Unified Portal. Containment is a feature of our MDR service that allows Arctic Wolf to isolate network traffic on the Windows Agent host.

Configure your environment firewall

Configure your firewall to allow traffic to Agent DNS hostnames.

Sign in to the Arctic Wolf Unified Portal.
In the navigation menu, click Resources > Allowlist Requirements.
Configure your firewall to allow outbound traffic for all the hostnames, not IP addresses, listed in the Agent section.

Note:
Agent must contact Arctic Wolf servers to register. If this process fails, Agent retries every 15 seconds. This has no negative effect on the system.

Add Agent processes to the allowlist

If you install Agent and an antivirus, endpoint scanner, Endpoint Detection and Response (EDR) solution, Unified Threat Management (UTM) solution, or similar software, add Agent processes to the allowlist in those applications to maintain stable CPU and memory utilization:

Configure your security systems to allow the processes listed in Arctic Wolf Agent processes.
Tip:
Arctic Wolf recommends that you define a security rule or policy exclusion for the parent folder. Then, if new processes are added during a future Agent software update, the new rule or policy exclusion applies to it. For example, for a Windows endpoint, define a rule that applies to one of these file paths based on your Windows operating system (OS):
- Windows 64-bit OS — C:\Program Files (x86)\Arctic Wolf Networks\
- Windows 32-bit OS — C:\Program Files\Arctic Wolf Networks\
Add the files listed in Arctic Wolf Agent hash values to all allowlists.
If you use an EDR solution, verify that your EDR configuration changes are applied to all endpoints.

See the technical documentation for the security systems that you are configuring for more information.

Download the Agent installer

This step is optional.

Sign in to the Arctic Wolf Unified Portal.
In the navigation menu, click Resources > Downloads.
In the Arctic Wolf Agent section, in the Operating System list, select the required operating system.
Click Download Agent.
Copy the UUID value, and then save it in a safe, encrypted location. You will provide it to Arctic Wolf later.
Extract the contents of the Agent zip file.

The MSI file and customer.json file are extracted.
Make sure that the MSI file and customer.json file are extracted into the same folder.

CAUTION:

Do not edit the customer.json file. Editing this file causes installation errors.
Do not save the Agent installer or customer.json to a location with public access. Keep the customer.json file confidential.

Trust Agent scanner signed files

You must trust Agent scanner signed files to ensure Agent vulnerability and benchmark scanning is not impacted by other endpoint security tools installed on the endpoint.

If you partnered with Arctic Wolf as an Aurora Vulnerability Management (Aurora VM) customer before December 11, 2025, your vulnerability and benchmark scanning uses the PowerShell console by default. Scans fail if the console usage is blocked by endpoint security tools.

As of December 11, 2025, Arctic Wolf uses signed PowerShell scripts by default. Do one of these actions to ensure successful scans:

If you partnered with Arctic Wolf before this date and you want this feature, complete the Trust Agent scanner signed files on Windows procedure, and then contact your Concierge Security® Team (CST) to enable this feature.
If you partnered with Arctic Wolf on or after this date, complete the Trust Agent scanner signed files on Windows procedure.

Enable VBScript

VBScript must be enabled to install Arctic Wolf Agent.

If you have disabled VBScript, you must re-enable this Windows feature.

Go to Start > Settings > System > Optional features.
Select View features.
In the search dialog, enter VBSCRIPT, and then select the check box for the VBScript search result.
To enable the VBScript feature, click Next.

Create a distribution point on the publishing server

For each user or machine, complete these steps:

Sign in to the server with administrator permissions.
Create a shared network folder for the installation files.
In the new window, right-click the Agent object, and then click Properties.
Click the Security tab.
Select a group or user.
In the Apply Group Policy section, select the Allow checkbox.

The policy is applied to the specified groups.
Click OK.

Create an Arctic Wolf Agent Group Policy Object

Click Start, and then open the GPMC.
In the navigation menu, click Forest: <DomainName>, where DomainName is the name of your domain, and then click the Domains folder.
Right-click the domain name. If you:
- Already have an Agent GPO — Select Link an Existing GPO, and then click Edit.
- Do not have an existing Agent GPO — Create a new GPO:
  1. Select Create a GPO in this domain, and Link it here.
  2. In the New GPO dialog box, enter a name for the new GPO.
  3. Verify that the Source Starter GPO menu says (none).
  4. Click OK.
    Tip:
    To assign a security group and make sure that Agent is deployed to the correct group of computers, see Assign Security Group Filters to the GPO.
  5. Right-click the new GPO, and then click Enforced to enable it.
    The GPO is enabled. A lock appears on the GPO icon in the navigation menu.
  6. Right-click the new GPO, and then select Edit.
In the new window, right-click the Agent object, and then click Properties.
Click the Security tab.
Select a group or user.
In the Apply Group Policy section, select the Allow checkbox.

The policy is applied to the specified groups.
Click OK.

Create and assign the Agent package

Open the GPMC.
Right-click the Agent object that you created, and then click Edit.
In the navigation menu, click Computer Configuration > Policies > Software Settings.
Right-click Software Installation, and then click New > Package.
In the Open dialog, enter the full Universal Naming Convention (UNC) path of the distribution point containing the MSI file.
Select the MSI file to create the Agent package.
Click Open.
Click Assigned, and then click OK.

The package is added to the Group Policy window.
Close the Group Policy snap-in, and then click OK to exit.

Verify Agent package assignment

Note:

If the Agent object or policy applies to a client device and is assigned to that device, and the distribution point is accessible, Agent automatically installs silently when that device restarts.

In a terminal, run this command:
SHELL
gpupdate /force
```
gpupdate /force
```
Example of expected output:
BASH
Computer Policy update has completed successfully. . . . Certain Computer policies are enabled that can only run during startup.
```
Computer Policy update has completed successfully.
.
.
.
Certain Computer policies are enabled that can only run during startup.
```
When prompted, enter Y to restart your device and install Agent.
After your device restarts, sign in to the Arctic Wolf Unified Portal.
In the navigation menu, click Data Collection > Agents.
In the Agents table, verify that the Agent installed on your device appears.

Note:
If the Agent installed on your device does not appear in the Agents table within 1-2 minutes of device restart, contact your CST at security@arcticwolf.com.